From ca25f72ef3b889e9173a62c785cd4bd4e1e63a2d Mon Sep 17 00:00:00 2001
From: Arne Teuke
Date: Sun, 13 Aug 2017 14:55:59 +0100
Subject: [PATCH] added control for common-paths-file
---
 manifests/main/files.pp | 27 ++++++++---
 manifests/params.pp | 3 +-
 templates/paths_common_conf.erb | 81 +++++++++++++++++++++++++++++++++
 3 files changed, 104 insertions(+), 7 deletions(-)
 create mode 100644 templates/paths_common_conf.erb
diff --git a/manifests/main/files.pp b/manifests/main/files.pp
index 2aff38f..67d3323 100644
--- a/manifests/main/files.pp
+++ b/manifests/main/files.pp
@@ -31,7 +31,7 @@ class cd_fail2ban::main::files (
 # manage fail2ban.conf
 file { $fn_fail2ban_conf_file:
- ensure => present,
+ ensure => file,
 path => $fn_fail2ban_conf_file,
 owner => 'root',
 group => 'root',
@@ -47,7 +47,7 @@ class cd_fail2ban::main::files (
 # manage fail2ban.local
 file { $fn_fail2ban_local_file:
- ensure => present,
+ ensure => file,
 path => $fn_fail2ban_local_file,
 owner => 'root',
 group => 'root',
@@ -60,10 +60,10 @@ class cd_fail2ban::main::files (
 notify => Service[$fn_service],
 }
- # manage jail.conf
+ # manage jail.conf
 file { $fn_jail_conf_file:
- ensure => present,
+ ensure => file,
 path => $fn_jail_conf_file,
 owner => 'root',
 group => 'root',
@@ -76,10 +76,10 @@ class cd_fail2ban::main::files (
 notify => Service[$fn_service],
 }
- # manage jail.local
+ # manage jail.local
 file { $fn_jail_local_file:
- ensure => present,
+ ensure => file,
 path => $fn_jail_local_file,
 owner => 'root',
 group => 'root',
@@ -92,5 +92,20 @@ class cd_fail2ban::main::files (
 notify => Service[$fn_service],
 }
+ # manage paths-common.conf
+
+ file { $fn_paths_common_file:
+ ensure => file,
+ path => $fn_paths_common_file,
+ owner => 'root',
+ group => 'root',
+ mode => '0640',
+ selrange => s0,
+ selrole => object_r,
+ seltype => etc_t,
+ seluser => system_u,
+ content => template($fn_paths_common_erb),
+ notify => Service[$fn_service],
+ }
 }
 }
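Review bot: The new `file { $fn_paths_common_file: ... }` resource in the last hunk places a fixed copy of fail2ban's own paths-common.conf under Puppet control, so any revised log-path definitions shipped by a later fail2ban package are reverted on the next agent run and the service is restarted through `notify => Service[$fn_service]`. The template added in the same commit states `after = paths-overrides.local`, which is the file fail2ban reserves for local changes; managing that override file instead, or turning the template's paths into parameters, would leave the distribution's definitions intact. If overwriting paths-common.conf is the intent, a comment above the resource should say so, e.g. `# replaces the distribution's paths-common.conf verbatim; site-specific paths belong in paths-overrides.local`. The same concern applies to the templates/paths_common_conf.erb hunk; the enclosing class cd_fail2ban::main::files begins outside this hunk.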
diff --git a/manifests/params.pp b/manifests/params.pp
index 2056c4d..4c56df4 100644
--- a/manifests/params.pp
+++ b/manifests/params.pp
@@ -206,7 +206,8 @@ $fn_jail_conf_file = "${fn_main_dir}/jail.conf"
 $fn_jail_conf_erb = 'cd_fail2ban/jail_conf.erb'
 $fn_jail_local_file = "${fn_main_dir}/jail.local"
 $fn_jail_local_erb = 'cd_fail2ban/jail_local.erb'
-
+$fn_paths_common_file = "${fn_main_dir}/paths-common.conf"
+$fn_paths_common_erb = 'cd_fail2ban/paths_common_conf.erb'
 # includes must be last
diff --git a/templates/paths_common_conf.erb b/templates/paths_common_conf.erb
new file mode 100644
index 0000000..9072136
--- /dev/null
+++ b/templates/paths_common_conf.erb
@@ -0,0 +1,81 @@
+# Common
+#
+
+[INCLUDES]
+
+after = paths-overrides.local
+
+[DEFAULT]
+
+default_backend = auto
+
+sshd_log = %(syslog_authpriv)s
+sshd_backend = %(default_backend)s
+
+dropbear_log = %(syslog_authpriv)s
+dropbear_backend = %(default_backend)s
+
+# There is no sensible generic defaults for syslog log targets, thus
+# leaving them empty here so that no errors while parsing/interpolating configs
+syslog_daemon =
+syslog_ftp =
+syslog_local0 =
+syslog_mail_warn =
+syslog_user =
+# Set the default syslog backend target to default_backend
+syslog_backend = %(default_backend)s
+
+# from /etc/audit/auditd.conf
+auditd_log = /var/log/audit/audit.log
+
+exim_main_log = /var/log/exim/mainlog
+
+nginx_error_log = /var/log/nginx/*error.log
+
+nginx_access_log = /var/log/nginx/*access.log
+
+
+lighttpd_error_log = /var/log/lighttpd/error.log
+
+# http://www.hardened-php.net/suhosin/configuration.html#suhosin.log.syslog.facility
+# syslog_user is the default. Lighttpd also hooks errors into its log.
+
+suhosin_log = %(syslog_user)s
+ %(lighttpd_error_log)s
+
+# defaults to ftp or local2 if ftp doesn't exist
+proftpd_log = %(syslog_ftp)s
+proftpd_backend = %(default_backend)s
+
+# http://svnweb.freebsd.org/ports/head/ftp/proftpd/files/patch-src_proftpd.8.in?view=markup
+# defaults to ftp but can be overwritten.
+pureftpd_log = %(syslog_ftp)s
+pureftpd_backend = %(default_backend)s
+
+# ftp, daemon and then local7 are tried at configure time however it is overwriteable at configure time
+#
+wuftpd_log = %(syslog_ftp)s
+wuftpd_backend = %(default_backend)s
+
+# syslog_enable defaults to no. so it defaults to vsftpd_log_file setting of /var/log/vsftpd.log
+# No distro seems to set it to syslog by default
+# If syslog set it defaults to ftp facility if exists at compile time otherwise falls back to daemonlog.
+vsftpd_log = /var/log/vsftpd.log
+
+# Technically syslog_facility in main.cf can overwrite but no-one sane does this.
+postfix_log = %(syslog_mail_warn)s
+postfix_backend = %(default_backend)s
+
+dovecot_log = %(syslog_mail_warn)s
+dovecot_backend = %(default_backend)s
+
+# Seems to be set at compile time only to LOG_LOCAL0 (src/const.h) at Notice level
+solidpop3d_log = %(syslog_local0)s
+
+mysql_log = %(syslog_daemon)s
+mysql_backend = %(default_backend)s
+
+roundcube_errors_log = /var/log/roundcube/errors
+
+# Directory with ignorecommand scripts
+ignorecommands_dir = /etc/fail2ban/filter.d/ignorecommands
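Review bot: The new template contains no ERB tags, so `template($fn_paths_common_erb)` renders a byte-for-byte copy of upstream paths-common.conf and nothing in it can differ per node; the log locations that vary between distributions (`auditd_log`, `exim_main_log`, `roundcube_errors_log`, `vsftpd_log`) are the candidates for template variables, or the file should be shipped as a static `source` so the `.erb` suffix does not suggest templating. The `suhosin_log` value spans two lines, and the second line `%(lighttpd_error_log)s` has to keep its leading whitespace to be read as a continuation of that key rather than as a malformed entry; that indentation is not visible in the collapsed diff and is worth confirming in the rendered file. A header comment recording where the content came from would make later re-syncs tractable, e.g. `# Copied verbatim from fail2ban <UPSTREAM_VERSION> config/paths-common.conf; compare on package upgrades`.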